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Abstract 


This document provides specific direction to IANA as to the Resource 
Public Key Infrastructure (RPKI) objects it should issue. 
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1. Introduction 


"An Infrastructure to Support Secure Internet Routing" [RFC6480] 
directs IANA [RFC2860] to issue Resource Public Key Infrastructure 
(RPKI) objects for which it is authoritative. This document 
describes the objects IANA will issue. If IANA is directed to issue 
additional RPKI objects in future, this document will be revised and 
a new version issued. 


The signed objects described here that IANA will issue are the 
unallocated, reserved, special use IPv4 and IPv6 address blocks, and 
the unallocated and reserved Autonomous System numbers. These number 
resources are managed by IANA for the IETF; thus, IANA bears the 
responsibility of issuing the corresponding RPKI objects. The reader 
is encouraged to consider the technical effects on the public routing 
system of the signed object issuance proposed for IANA in this 
document. 


This document does not deal with BGP [RFC4271] routing systems, as 
those are under the policy controls of the organizations that operate 
them. Readers are directed to "Local Trust Anchor Management for the 
Resource Public Key Infrastructure" [TA-MGMT] for a description of 
how to locally override IANA issued objects, e.g., to enable use of 
unallocated, reserved, and special use IPv4 and IPv6 address blocks 
in a local context. 
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The direction to IANA contained herein follows the ideal that it 
should represent the ideal technical behavior for registry and 
related registry actions. 


2. Requirements Notation 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


3. Required Reading 


Readers should be familiar with the RPKI, the RPKI repository 
structure, and the various RPKI objects, uses, and interpretations 
described in the following: [RFC6480], [RFC6487], [RFC6482], 
[RFC6493], [TA-MGMT], [RFC6483], [RPKI-USE], [RFC6484], and 
[RFC6486]. 


Note: The addresses used in this document are not example addresses; 
therefore, they are not compliant with [RFC3849], [RFC5735], and 

[RFC5771]. This is intentional, as the practices described in this 
document are directed to specific instances of real world addresses. 


4. Definitions 


Internet Number Resources (INR): The number identifiers for IPv4 
[RFC0791] and IPv6 [RFC2460] addresses, and for Autonomous Systems 
(ASes) . 


IANA: Internet Assigned Numbers Authority (a traditional name, used 
here to refer to the technical team making and publishing the 
assignments of Internet protocol technical parameters). The 
technical team of IANA is currently a part of ICANN [RFC2860]. 


RPKI: Resource Public Key Infrastructure. A Public Key 
Infrastructure designed to provide a secure basis for assertions 
about holdings of Internet number resources. Certificates issued 
under the RPKI contain additional attributes that identify IPv4, 
IPv6, and Autonomous System number resources [RFC6480]. 


ROA: Route Origination Authorization. A ROA is an RPKI object that 
enables the holder of the address prefix to specify an AS that is 
permitted to originate (in BGP) routes for that prefix [RFC6482]. 


AS 0 ROA: A ROA containing a value of 0 in the ASID field. 
"Validation of Route Origination Using the Resource Certificate 
Public Key Infrastructure (PKI) and Route Origination Authorizations 
(ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is 
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an attestation by the holder of a prefix that the prefix described in 
the ROA, and any more specific prefix, should not be used in a 
routing context." 


"Not intended to be (publicly) routed": This phrase refers to 
prefixes that are not meant to be represented in the global Internet 
routing table (for example 192.168/16 [RFC1918]). 


5. Reserved Resources 


Reserved IPv4 and IPv6 resources are held back for various reasons by 
IETF action. Generally, such resources are not intended to be 
globally routed. An example of such a reservation is 127.0.0.0/8 
[RFC5735]. See Appendixes A and B for IANA reserved resources. 


IANA SHOULD issue an AS 0 ROA for all reserved IPv4 and IPv6 
resources not intended to be routed. The selection of the [RFC2119] 
terminology is intentional as there may be situations where the AS 0 
ROA is removed or not issued prior to an IANA registry action. It is 
not appropriate to place IANA into a situation where, through normal 
internal operations, its behavior contradicts IETF standards. 


There are a small number of reserved resources that are intended to 
be routed, for example 192.88.99.0/24 [RFC3068]. See Appendixes A 
and B for IANA reserved resources. 


IANA MUST NOT issue any ROAs (AS 0 or otherwise) for reserved 
resources that are expected to be globally routed. 


6. Unallocated Resources 


Internet Number Resources that have not yet been allocated for 
special purposes [RFC5736], to Regional Internet Registries (RIRs), 
or to others are considered as not intended to be globally routed. 


IANA SHOULD issue an AS 0 ROA for all Unallocated Resources. The 
selection of the [RFC2119] terminology is intentional as there may be 
situations where the AS 0 ROA is removed or not issued prior to an 
IANA registry action. It is not appropriate to place IANA into a 
situation where, through normal internal operations, its behavior 
contradicts IETF standards. 


7. Special Purpose Registry Resources 
Special Registry Resources [RFC5736] fall into one of two categories 
in terms of routing. Either the resource is intended to be seen in 


the global Internet routing table in some fashion, or it isn’t. An 
example of a Special Registry Resources INR that is intended for 
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global routing is 2001::/32 [RFC4380]. An example of an INR not 
intended to be seen would be 2001:002::/48 [RFC5180]. 


IANA MUST NOT issue any ROAs (AS 0 or otherwise) for Special Purpose 
Registry Resources that are intended to be globally routed. 


IANA SHOULD issue an AS 0 ROA for Special Purpose Registry Resources 
that are not intended to be globally routed. 


8. Multicast 


Within the IPv4 multicast [RFC5771] and IPv6 multicast [RFC4291] 
registries there are a number of Multicast registrations that are not 
intended to be globally routed. 


IANA MUST issue an AS 0 ROA covering the following IPv4 and IPv6 
multicast INRs: 


IPv4: 

- Local Network Control Block 
224.0.0.0 - 224.0.0.255 (224.0.0/24) 

- IANA Reserved portions of RESERVED 
224.1.0.0-224.1.255.255 (224.1/16) 

— RESERVED 
224.5.0.0-224.251.255.255 (251 /16s) 
225.0.0.0-231.255.255.255 (7 /8s) 


IPv6: 

— Node-Local Scope Multicast Addresses 

— Link-Local Scope Multicast Addresses 
IANA MUST NOT issue any ROAs (AS 0 or otherwise) for any other 
multicast addresses unless directed by an IESG-approved Standards 
Track document with an appropriate IANA Considerations section. 


9. Informational Objects 


One informational object that can exist at a publication point of an 
RPKI repository is the Ghostbusters Record [RFC6493]. 


IANA MUST issue a ghostbusters object appropriate in content for the 
resources IANA maintains. 


10. Certificates and Certificate Revocation Lists (CRLs) 
Before IANA can issue a ROA, it MUST first establish an RPKI 


Certification Authority (CA) that covers unallocated, reserved, and 
special use INRs. A CA that covers these INRs MUST contain RFC 3379 
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extensions [RFC3779] for those corresponding number resources in its 
certificate. This CA MUST issue single-use end-entity (EE) 


certificates for each ROA that it generates. The EE certificate will 
conform to the Resource Certificate Profile [RFC6487] and the 
additional constraints specified in [RFC6482]. IANA MUST maintain a 


publication point for this CA’s use and MUST publish manifests 
[RFC6486] (with its corresponding EE certificate) for this 
publication point. IANA MUST issue a CRL under this CA certificate 
for the EE certificates noted above. All objects issued by this CA 
will conform to the RPKI Certificate Policy [RFC6484]. 


11. IANA Considerations 


This document directs IANA to issue, or refrain from issuing, the 
specific RPKI objects described here for the current set of reserved, 
unallocated, and special registry Internet Number Resources. 

Further, IANA MUST notify all other INR registries that RPKI objects 
have been issued for the Internet Number Resources described in this 
document to avoid the potential for issuance of duplicate objects 
that might confuse relying parties. 


12. Security Considerations 


This document does not alter the security profile of the RPKI from 
that already discussed in SIDR WG documents. 
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Appendix A. IANA Reserved IPv4 Address Blocks 


This list of Address Space and RFCs was correct at the time of 
writing this document. 


+-------------------- Sp ee ee +--------- + 
| Prefix | RFC | TBR | 
+—-------------------- +------------------------------------ +--------- + 

0.0.0.0/8 [RFC1122], Section 3.2.1.3 No 

10.0.0.0/8 [RFC1918] No 

| 127.0.0.0/8 | [RFC1122], Section 3.2.1.3 | No 
| 169.254.0.0/16 | [RFC3927] | No | 
| 172.16.0.0/12 | [RFC1918] | No | 
| 192.0.0.0/24 | [RFC5736] | Various | 
| 192.0.2.0/24 | [RFC5737] | No | 
192.88.99.0/24 [RFC3068] | Yes | 

| 192.168.0.0/16 [RFC1918] No 
| 198.18.0.0/15 á | [RFC2544] | No | 
| 198.51.100.0/24 | [RFC5737] | No | 
|  203.0.113.0/24 | [RFC5737] | No | 
| 224.0.0.0/4 | [RFC5771] | No | 

240.0.0.0/4 [RFC1112], Section 4 | No 

| 255.255.255.255/32 [RFC0919], Section 7 and No 
| | [RFC0922], Section 7 | | 
pornn Sa a ala +--------- + 


TBR: To Be Routed, the intention of the RFC pertaining to the 
address block. 


Table 1: IPv4 Address Blocks and 
the RFCs that Direct IANA to Reserve Them 
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IANA Reserved IPv6 Address Blocks 
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This list of Address Space and RFCs was correct at the time of 
writing this document. 


+---------------- +----------- 
| Prefix | REC 
4+---------------- +----------- 
0000::/8 [RFC4291] 
0100::/8 [RFC4291] 
| 0200::/7 | [RFC4291] 
| 0400::/6 | [RFC4291] 
| 0800::/5 | [RFC4291] 
| 1000::/4 | [RFC4291] 
| 4000::/3 | [RFC4291] 
| 6000::/3 | [RFC4291] 
8000::/3 [RFC4291] 
| A000::/3 | [RFC4291] 
| c000::/3 | [RFC4291] 
| E000::/4 | [RFC4291] 
| F000::/5 | [RFC4291] 
| F800::/6 | [RFC4291] 
FC00::/7 [RFC4193] 
| FE00::/9 | [RFC4291] 
| FE80::/10 | [RFC4291] 
| FECO::/10 | [RFC3879] 
| FF00::/8 | [RFC4291] 
2001:0002::/48 | [RFC5180] 
2001:10::/28 [RFC4843] 
4+---------------- +----------- 


+—+ 


+ 


TBR: To Be Routed, the intention of the RFC 
address block. 
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Table 2: IPv6 Address Blocks and 
the RFCs that Direct IANA to Reserve Them 


Standards Track 


[Page 11] 


RFC 6491 IANA RPKI Objects February 2012 


Authors’ Addresses 


Terry Manderson 

Internet Corporation for Assigned Names and Numbers 
4676 Admiralty Way, Suite 330 

Marina del Rey, CA 90292 

United States of America 


Phone: +1-310-823-9358 
EMail: terry.manderson@icann.org 
URI: http://www.iana.org/ 


Leo Vegoda 

Internet Corporation for Assigned Names and Numbers 
4676 Admiralty Way, Suite 330 

Marina del Rey, CA 90292 

United States of America 


Phone: +1-310-823-9358 


EMail: leo.vegoda@icann.org 
URI: http://www.iana.org/ 


Steve Kent 
BBN 


EMail: kent@bbn.com 


Manderson, et al. Standards Track [Page 12] 


